httpd-dev mailing list archives

From David Burry <dbu...@tagnet.org>
Subject Re: SSL enabled name virtual hosts
Date Mon, 06 Mar 2006 10:08:11 GMT
Boyle Owen wrote:
> - You're right that since apache can't see the host header, it uses the cert from the
> default VH to establish the SSL session. Thereafter, it *can* see the host header and so can
> route the requests successfully. This gives a lot of people the illusion that SSL-NBVH is possible.
> The big problem is that you don't get authentication because the default cert, generally,
> will not match the requested site. For professional SSL, authentication is every bit as essential
> as encryption so this won't do.
>   
We use a "wildcard cert" to overcome this situation... the technical 
limitation is that all the SSL "hosts" have to end with the same domain 
(a wildcard cert is bound to our domain, not any individual host name), 
but otherwise we can and do indeed run hundreds (soon to be thousands) 
of customers on their own individual host names under SSL, all on port 
443 on one instance of apache.  Unfortunately we have to do funny 
mod_rewrite trickery to simulate NBVH instead of using real NBVH....  I 
suspect it would be a major change in Apache architecture to use real 
NBVH in our case (but otherwise, yes, it absolutely could be technically 
possible, given the all-must-be-in-the-same-domain, and must use a 
"wildcard cert" limitations).

Dave
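
The name check a client applies to the certificate it is handed, as an added example that is not part of the original message or of Apache's code: it shows why the default VH's cert fails authentication for other host names and which names a wildcard cert does cover. The `example.com` names are constructed, and the matching rule (the wildcard is the whole left-most label and stands for exactly one label, per RFC 6125) is an assumption about the client.

```python
# Added example: which requested host names a certificate authenticates.
# All names are constructed placeholders (example.com / example.net).

def name_matches(pattern, host):
    """Match one certificate name against a requested host name.

    Assumed rule (RFC 6125 style): '*' is honoured only as the entire
    left-most label and stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so that '*.com' never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Wildcards elsewhere, or partial ones such as 'w*', are rejected.
    return "*" not in pattern and p_labels == h_labels


def cert_authenticates(cert_names, host):
    """True if any name in the certificate covers the requested host."""
    return any(name_matches(name, host) for name in cert_names)


def audit(cert_names, requested_hosts):
    """Return {host: bool} for hosts served from the single port-443 vhost."""
    return {h: cert_authenticates(cert_names, h) for h in requested_hosts}


DEFAULT_VHOST_CERT = ["www.example.com"]  # constructed: cert of the default VH
WILDCARD_CERT = ["*.example.com"]         # constructed: one cert for all customers
HOSTS = [
    "www.example.com",
    "alice.example.com",
    "shop.alice.example.com",  # two labels deep: outside the wildcard
    "example.com",             # bare domain: outside the wildcard
    "alice.example.net",       # different domain
]

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_VHOST_CERT), ("wildcard", WILDCARD_CERT)):
        for host, ok in audit(cert, HOSTS).items():
            print(f"{label:8} {host:24} {'match' if ok else 'MISMATCH'}")
```
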

